I am running Sophos XG in a VM using KVM/libvirt.
I have a 4-port NIC (I350-T4) and 1 motherboard NIC.
One port of the 4-port NIC is passed through via PCI passthrough as the WAN interface (connected to the modem).
The other 3 NICs of the I350-T4 are bridged on the host for LAN.

This is working well. I can connect my laptop to one of the LAN NICs and get a DHCP address, and firewalled internet also works.

Now, I want the host to be assigned an IP by the Sophos guest and also get firewalled internet.

To do this, I assigned the LAN bridge on the host a static IP of 172.16.16.15 and set the gateway to 172.16.16.16.

The Sophos XG VM has the static IP address set to 172.16.16.16 on the LAN.

From the host, I can ping the guest (172.16.16.16) as well as other machines on the LAN, such as my laptop (172.16.16.17), and vice versa.

However, I can't access the internet on the host.

Now, I don't want a static IP for the host. I would like Sophos to assign the IP using DHCP.
How do I achieve this?
And how do I get internet working on the host?